Hackers paralyze DC-area healthcare provider with cyberattack

MedStar, a Washington, DC-area healthcare provider, has reverted to using paper systems after a cyberattack its computer network completely offline.

Starting Monday morning, MedStar’s patients could no longer book appointments, and the healthcare provider’s 30,000 staff and 3,000 physicians were unable to access record systems, check their emails or even look up phone numbers, due to a computer virus infection. The system remained down Tuesday morning.

“MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization,” spokeswoman Ann Nickels said in a statement. “We are working with our IT and cyber-security partners to fully assess and address the situation. Currently, all of our clinical facilities remain open and functioning.”

The organization, which operates 10 hospitals in Maryland, Virginia and the District, told AP that there was no evidence patient information had been stolen.

However, appointments and surgeries will be delayed, since it will take longer for lab results to be returned and for patients to receive tests, a nursing union representative told The Washington Post.

The incident comes only a week after a California hospital had its systems held hostage with ransomware – a type of virus that prevents computer networks from functioning unless a payment is made to the cybercriminals. The hackers initially demanded $3.6 million in the difficult-to-track bitcoin currency, but eventually settled for only $17,000 worth to return their systems to normal.

It’s unclear if the perpetrators of the MedStar attack are similarly demanding payment to make the provider’s information accessible again. As of Tuesday morning, there had been no such demand, a MedStar employee told RT.

Cybersecurity in hospitals is generally regarded as lacking. The healthcare sector suffered from the highest number of data breaches from 2010 to 2015, according to data from TrendMicro.

Hospitals aren’t currently required to disclose cyberattacks unless patient data is affected. However, Congress is debating several cybersecurity bills that would create nationwide data security standards.